Analysis Overview
SHA256
4ec28e96b91666c9621996f7a3534c2b8b505b834189468142f1638f96678210
Threat Level: Likely malicious
The file 994baec2cfe0477cd7ca8a1a1c2c4817_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
- Checks if the Android device is rooted.
- Checks Android system properties for emulator presence.
- Checks Qemu related system properties.
- Loads dropped Dex/Jar
- Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
- Queries information about active data network
- Queries information about the current Wi-Fi connection
- Requests dangerous framework permissions
- Uses Crypto APIs (Might try to encrypt user data)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-05 21:25
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-05 21:25
Reported
2024-06-05 21:29
Platform
android-x86-arm-20240603-en
Max time kernel
68s
Max time network
177s
Command Line
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/local/su | N/A | N/A |
| N/A | /data/local/bin/su | N/A | N/A |
| N/A | /data/local/xbin/su | N/A | N/A |
| N/A | /sbin/su | N/A | N/A |
Checks Android system properties for emulator presence.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Accessed system property | key: ro.product.name | N/A | N/A |
| Accessed system property | key: ro.serialno | N/A | N/A |
| Accessed system property | key: ro.bootloader | N/A | N/A |
| Accessed system property | key: ro.bootmode | N/A | N/A |
| Accessed system property | key: ro.hardware | N/A | N/A |
| Accessed system property | key: ro.product.device | N/A | N/A |
| Accessed system property | key: ro.product.model | N/A | N/A |
Checks Qemu related system properties.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Accessed system property | key: qemu.sf.fake_camera | N/A | N/A |
| Accessed system property | key: ro.kernel.android.qemud | N/A | N/A |
| Accessed system property | key: ro.kernel.qemu.gles | N/A | N/A |
| Accessed system property | key: ro.kernel.qemu | N/A | N/A |
| Accessed system property | key: init.svc.qemud | N/A | N/A |
| Accessed system property | key: init.svc.qemu-props | N/A | N/A |
| Accessed system property | key: qemu.hw.mainkeys | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/data/com.cpt.bwin223120/.jiagu/classes.dex | N/A | N/A |
| N/A | /data/data/com.cpt.bwin223120/.jiagu/classes.dex!classes2.dex | N/A | N/A |
| N/A | /data/data/com.cpt.bwin223120/.jiagu/tmp.dex | N/A | N/A |
Domain associated with commercial stalkerware software, includes indicators from echap.eu.org
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | s.appjiagu.com | N/A | N/A |
| N/A | b.appjiagu.com | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
- com.cpt.bwin223120
- chmod 755 /data/data/com.cpt.bwin223120/.jiagu/libjiagu.so
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.cpt.bwin223120/.jiagu/tmp.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/data/com.cpt.bwin223120/.jiagu/oat/x86/tmp.odex --compiler-filter=quicken --class-loader-context=&
- sh -c ps
- ps
- ps daemonsu
- ps | grep su
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.169.10:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | www.app789app9977okok.com | udp |
| US | 1.1.1.1:53 | log.tbs.qq.com | udp |
| HK | 129.226.107.80:80 | log.tbs.qq.com | tcp |
| US | 38.14.33.5:443 | www.app789app9977okok.com | tcp |
| US | 1.1.1.1:53 | www.bcsowowoaakk61788.com | udp |
| US | 38.14.33.4:443 | www.bcsowowoaakk61788.com | tcp |
| US | 1.1.1.1:53 | www.bwn78benzcok8878.com | udp |
| GB | 142.250.178.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | s.appjiagu.com | udp |
| US | 104.192.110.60:80 | s.appjiagu.com | tcp |
| GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | b.appjiagu.com | udp |
| CN | 180.163.249.208:80 | b.appjiagu.com | tcp |
| CN | 106.63.25.33:80 | b.appjiagu.com | tcp |
Files
/data/data/com.cpt.bwin223120/.jiagu/libjiagu.so
| MD5 | e5a53000766ebc433b27d6a66ec4f555 |
| SHA1 | 2c8f53f1c03aec2005bcad67d731f07261dabde0 |
| SHA256 | 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e |
| SHA512 | 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d |
/data/data/com.cpt.bwin223120/.jiagu/classes.dex
| MD5 | 3299f3988d8167a7abc1ae232df09fb5 |
| SHA1 | f17be1aff064aeb00036ead09603641165aa62d4 |
| SHA256 | fc1780d4d1c021ee4f6f1481f6aa3855e9134973724ec9c69f5ee823edca0b50 |
| SHA512 | 1dcddd58abeb3a6cfcf3d90767f6b4815b7595e0d5512314a8cebb6315c128064066619640ae9ef4db4f3c43c2a8f25304036c5201af6e351e8ed2c9031f1178 |
/data/data/com.cpt.bwin223120/.jiagu/classes.dex
| MD5 | 0de3243d5a032793a3626be5126e6af7 |
| SHA1 | 0d006e42b6d6e6f9fdc732c4247bf0bb2679949d |
| SHA256 | d7ed8d29c0d97867e41c566f4df4c1bd8a8b8b02d924c9d33bcd33d171a2cbb0 |
| SHA512 | d596ebabfdfd9cd82a7b50a9aacde1e7d3af2bd0c22983f074642a18e85d8c5021cfc6f86dd1cdd147580076bd7d205d1060f034115f2143825ae4d3d98436af |
/data/data/com.cpt.bwin223120/.jiagu/classes.dex!classes2.dex
| MD5 | 413c3aa20e32042b2f76b870d30cd0e2 |
| SHA1 | f5b26a1373231b448bc666d0dafc96523cf0d06a |
| SHA256 | 61c44ad8e3a762b9519b3091913e7add8fdef86cdf20d7b753ee9eff14fe9ccd |
| SHA512 | 6252ab622a4c11978b6634a1ceba8df12bf9e0f67357d8bd1ca828fbb317a5b108275c2a95cdae9e32028aedafe9cd2c0374079343a872b6a1c9c951fe032bea |
/data/data/com.cpt.bwin223120/.jiagu/tmp.dex
| MD5 | f1771b68f5f9b168b79ff59ae2daabe4 |
| SHA1 | 0df6a835559f5c99670214a12700e7d8c28e5a42 |
| SHA256 | 9f8898ce35a47aeafced99ea0d17c33e73037bb2307c7688e50819966f4ae939 |
| SHA512 | dae27d19727b89bec49398503baa6801640540355688dfabbe689c97545295c2c2d9b0f0dcd7cbc4cfbf701d0c0c3289e647a152f49ff242d1ecc741efe4145d |
/data/data/com.cpt.bwin223120/files/.jglogs/.jg.ri
| MD5 | 1f8cf19b0587c60a6bea6f1b5a6ebc94 |
| SHA1 | 585de01e2482b1bbafce7e1c77327efc8d7480eb |
| SHA256 | fed7a7c188eae059173781cf640bf3d2fbb866dc8135366497e98384dd0d0726 |
| SHA512 | cdcbb4f103328b18b054c44c5d842962c1b93dc51f83c6dd4de53c103b893ef02bdf96a92496af27f57705532906e04856f83d64f3b93744048ccf11862122c4 |
/data/data/com.cpt.bwin223120/files/.jiagu.lock
| MD5 | 80a4de623f1b90499c8d3eca89ea93a2 |
| SHA1 | 24a5287614c4097432f519c0f4c5388717df9a79 |
| SHA256 | 2fc10e27f33e4f7a6a6333b22ce01b81aefa35591dc05844bc35c5f239b7fe77 |
| SHA512 | 59499f5bc6bce5c30643c3a0a062c8d07b0f716a84efe5a475fd7ade59b7fc518280f2c1c1ce8c843f8d273ecdfb833042bd061f67266a0cd5adbbdf2233ba47 |
/data/data/com.cpt.bwin223120/files/.jglogs/.jg.ac
| MD5 | 12654ca15675d7caaf9343811a0de1d8 |
| SHA1 | ed368f8b88cbbdd5190e265b3bc0be0acc48c380 |
| SHA256 | af25853708c1ba1105b97bc981fb2ff231abfc60419ecbe39a146e892aface15 |
| SHA512 | e6db6c849ddad2b35a1316b345493536b6db9618b4c125cd20273771f04c8046bac40c997e2503aaaca9aa82ad3cc86a9ed889f52c10d699fe1ec3c18fbea328 |
/data/data/com.cpt.bwin223120/files/.jglogs/.jg.ic
| MD5 | 62b32664152bec557e40a652aa2f0e54 |
| SHA1 | 2d4686bc49b1fd3a5a58a3a604b241d4b070ef34 |
| SHA256 | e320eb0a0fb88954aef401706cebc3f4b4a1e6af8f0806aa85d93a4212ba7013 |
| SHA512 | b801a6245e75b0b867efd8f83609a18a54450f5a526fccaf3db003ff7a6a3ead1140d802bef1108d15512bd5ba82d9312adaff0385c092f3f06f5971e32402d8 |
/data/data/com.cpt.bwin223120/files/.jglogs/.jg.di
| MD5 | 62a229e6a640a2765fc53abf3f116db1 |
| SHA1 | 88add39e843f14d8505bba12133238df76f4b927 |
| SHA256 | 46eec815543eaec68d633a66b7385b04ac630f63afacd1a24d04286aa5163114 |
| SHA512 | 8d3f7aadfbf1b026ebc11c14db1b407608feb2fd870952db5679b2813c4619dde6b6d5ec544569c2471fa3fc5ca7894cc788a1ee679d1d10ce86fdad0badacf6 |
/storage/emulated/0/360/.iddata
| MD5 | 9e0819b75df7399758c847a86717a238 |
| SHA1 | bf0916a1ed23c095cc0ba59ad559a3404a879cfd |
| SHA256 | 5b0ea1ef9cffdb9f50689762bd02f14fab2ab78bff0525e963d0186c28f9add7 |
| SHA512 | 898829ac9985de6acc730b6641b61dae7aca1a617e804c38a6ecd19d5681f4837dbd9687d59b2e3df55b3ead5e073dcddf5da473afd76f4980aff328d09ea447 |
/storage/emulated/0/360/.deviceId
| MD5 | 1d8d16c4e3b19ebf18988530d9b9a757 |
| SHA1 | bc94c1cce05cd848a53271ecb9c5311e27ffebf5 |
| SHA256 | abd87140da8de3d0aa39a24a8d52bfe7b2eb28f7a3d505f205471c7e8f4964d7 |
| SHA512 | 4562d1eedbc5c2dd7f25cd1c70343053fd451026403585182b142a64f17016c1bd0bf6ad51667b439b220e425640e55fbbda08517e7106376cdc220a4555da82 |
/storage/emulated/0/Android/data/com.cpt.bwin223120/files/tbslog/tbslog.txt
| MD5 | afedcb4c69f9f13263b03d6413a680a0 |
| SHA1 | f0e1fbdcacb9b1189fea667e48d2c32f78c5d361 |
| SHA256 | e0908c46970f671caaf0dcf1e2350d6b074ed0cbd55491e58bae950969f2be8a |
| SHA512 | 6ed97a5c08766c3a430e06453b0296ef635b2e5530bb9fb05b98e5deb0317449baa82569d0b7b142a0bd9677864707e15c4f1aada21ef861ca1529ef54777ca5 |
/data/data/com.cpt.bwin223120/files/jpush_stat_cache.json
| MD5 | 602fb4b788a4ea4a7795c79aa6ddf1d3 |
| SHA1 | de831f21ae6937106d5c66bbd2c31c66c6c06b34 |
| SHA256 | 0d3b47699bbf5c2ae60c351ec3a04dcd6c806fb1cca3e378afe7cbd3c6dc3e44 |
| SHA512 | 0aec157e6ba4284145e1294a5ab40b373bfd767bcb5944796c4ae90d3f1de92953580028875581bace140457b652286af68bfa227bd41d5ce47d8389ab70e8ff |
/data/data/com.cpt.bwin223120/files/.jglogs/.jg.di
| MD5 | cc3c69488a39702b14e6d9f887755a16 |
| SHA1 | 80bbd667766cadcb5db39c27e45f3660ef54493b |
| SHA256 | 2e05d8b34ca1dc42a437416f30a16b4c0e9c622df9c64ecc21dbd279497ee929 |
| SHA512 | 644b8ffdb32167b8b461f6b49c554511e3a0bcf73b134633f1dd064d9bfaa06505d875c3dfecf2d76808626db0c79e5e1a8f91b17457b3361dc5ce5b4e5b33dc |
/data/data/com.cpt.bwin223120/files/.jglogs/.jg.ac
| MD5 | df95c382faa983b81ea26bf92db760d0 |
| SHA1 | 4cff7140bedc83f97c68701042812f292031497f |
| SHA256 | 11d837346f49c959241c60f9d53891c2912b6642b1c9104328f8b1280dc20dd4 |
| SHA512 | 315fa5dbcbcd2b952b10ae662b6cc4cb9f1a3b6c7a7de00e71b180e43d005f3c3ae8b888e8343413f9b65ea818116906e60b243b7ddbacb5485f38a522841335 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-05 21:25
Reported
2024-06-05 21:29
Platform
android-x64-arm64-20240603-en
Max time kernel
5s
Max time network
140s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/user/0/com.cpt.bwin223120/[email protected] | N/A | N/A |
| N/A | /data/user/0/com.cpt.bwin223120/[email protected]!classes2.dex | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries information about the current Wi-Fi connection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |
Processes
- com.cpt.bwin223120
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
Files
/data/user/0/com.cpt.bwin223120/.jiagu/libjiagu.so
| MD5 | e5a53000766ebc433b27d6a66ec4f555 |
| SHA1 | 2c8f53f1c03aec2005bcad67d731f07261dabde0 |
| SHA256 | 78e4ea857f10c2df6c7b94f0584524b52ecc099ed29478fe3964037b8a86ed2e |
| SHA512 | 370a1cb93b14556ad861724f4e9995c9a4c6d37cf2d570f888d1c6000c66d27ac63496b0703361e9fc9bc7f309b7aa4407c5f339d186b0a5b72520d23d04b68d |
/data/user/0/com.cpt.bwin223120/.jiagu/classes.dex
| MD5 | 3299f3988d8167a7abc1ae232df09fb5 |
| SHA1 | f17be1aff064aeb00036ead09603641165aa62d4 |
| SHA256 | fc1780d4d1c021ee4f6f1481f6aa3855e9134973724ec9c69f5ee823edca0b50 |
| SHA512 | 1dcddd58abeb3a6cfcf3d90767f6b4815b7595e0d5512314a8cebb6315c128064066619640ae9ef4db4f3c43c2a8f25304036c5201af6e351e8ed2c9031f1178 |
/data/user/0/com.cpt.bwin223120/[email protected]
| MD5 | 0de3243d5a032793a3626be5126e6af7 |
| SHA1 | 0d006e42b6d6e6f9fdc732c4247bf0bb2679949d |
| SHA256 | d7ed8d29c0d97867e41c566f4df4c1bd8a8b8b02d924c9d33bcd33d171a2cbb0 |
| SHA512 | d596ebabfdfd9cd82a7b50a9aacde1e7d3af2bd0c22983f074642a18e85d8c5021cfc6f86dd1cdd147580076bd7d205d1060f034115f2143825ae4d3d98436af |
/data/user/0/com.cpt.bwin223120/[email protected]!classes2.dex
| MD5 | 413c3aa20e32042b2f76b870d30cd0e2 |
| SHA1 | f5b26a1373231b448bc666d0dafc96523cf0d06a |
| SHA256 | 61c44ad8e3a762b9519b3091913e7add8fdef86cdf20d7b753ee9eff14fe9ccd |
| SHA512 | 6252ab622a4c11978b6634a1ceba8df12bf9e0f67357d8bd1ca828fbb317a5b108275c2a95cdae9e32028aedafe9cd2c0374079343a872b6a1c9c951fe032bea |
/data/data/com.cpt.bwin223120/files/.jglogs/.jg.ri
| MD5 | 64fa856987d101c4339e55facd15edde |
| SHA1 | 43447a1b9b4c98aa4ae547f768484499f303146b |
| SHA256 | b926783cce5de01db72bb88d216b66f6862720e6894fc417640e8224e18858c6 |
| SHA512 | 012779d9660b630f7afdf20a4876a6f56dc68c4b706327d51469396b9b4a09e9cc95e0a417ef63ee18a1bc04edd6da34e3a557b3756c5068869dbec99d8dcf94 |
/data/data/com.cpt.bwin223120/files/.jiagu.lock
| MD5 | eea79e3a6f97d4b939b5b483fb5b13e5 |
| SHA1 | 22498964a1f10d96f6044038290afd6243e69f50 |
| SHA256 | 65c89010acea5f116926b68c7eb70070faf7ee2aaf0bc0acd56a5eb930548554 |
| SHA512 | c9117c51a67a61abccc8c7abf5f10908c072696c1e3cfdf1c368347582e60db0f597e47dcacf30d4052fcc4ffa80a83d25b1221888eaec9f401f6410e424d019 |
/data/data/com.cpt.bwin223120/files/.jglogs/.jg.di
| MD5 | 884be466f78ab2b4e0bd1e3fba08d1b0 |
| SHA1 | 88d63c9441cbc0fdbb93a102ae461dd65cfcd3c8 |
| SHA256 | 8d88445f3ae13f696cc82134c52c84641bc9e28d02e704b71b8de3ab3deb11b8 |
| SHA512 | bd199a6ee5212a886669a6fb4ac862654f7f934c00ae7812f7435d1c99141e8c383412e992a294c890381d7feda2c492452ff9ad4db613d615e73c0dfb5e70d7 |
/storage/emulated/0/360/.iddata
| MD5 | 46d3711aafaa31e61af51ef3ca2c9864 |
| SHA1 | 0b2c95ca3052525d0a43ac1309c58a2933638115 |
| SHA256 | 7bc88ac63475321d17722cbb2e02c264a736b4274ce40794bd7163dcb49107d4 |
| SHA512 | 8c938fce120c9cfeda3b81b624ea57f9a984ad88411a29d4d4d1c271eb3cfaa4bef39f8a31cf2c6dd26be51d4625da51d6ce5957473c06ca601c58e4057a6c5e |
/storage/emulated/0/360/.deviceId
| MD5 | 4c4c5285293d5141f582aefa4e038669 |
| SHA1 | e01852a72e5a8e6f7d63a21426b515118196047b |
| SHA256 | 36c5c63f39ddf7a6a9c01946e4f78b95790aa734176802e793e95724a1b5b731 |
| SHA512 | 097aa673273e307f7bfb7c08861ad389d4b5f7fae55d972a5c1636aa66d0b8d23b5eb9b696cefe0e5b942f23969dabf0147397aeca85fb9a4d75e0473104e399 |